Method and apparatus for generating secret key in wireless communication network

ABSTRACT

A method and apparatus for generating a secret key includes: acquiring a random sequence by use of reciprocity of a radio channel; generating the secret key based on the random sequence; and stopping generating the secret key when it is determined that the radio channel is flat based on flatness measured from the radio channel.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority to and the benefit of Korean PatentApplications Nos. 10-2015-0065133, 10-2015-0129291 and 10-2016-0057231filed in the Korean Intellectual Property Office on May 11, 2015, Sep.11, 2015, and May 10, 2016, respectively, the entire contents of whichare incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a method and apparatus for generating asecret key for secure communication between terminals by using acharacteristic of a radio channel of a wireless communication network.

2. Description of the Related Art

In general, in wireless communication, two terminals share an identicalsecret key to perform secure communication for transmitting andreceiving secret messages. A public key cryptography scheme may be usedso that the two terminals may share the same secret key. The public keycryptography requires a key management infrastructure, and it may beavailable only when computing power of the terminal attempting to hackthe secret message is limited.

However, a distributed wireless communication system does not have suchinfrastructure. In addition, it is difficult to apply the conventionalpublic key cryptography scheme that restricts the computing power of theterminal attempting to wiretrap the secured message to the distributedwiress communication system.

The above information disclosed in this Background section is only forenhancement of understanding of the background of the invention andtherefore it may contain information that does not form the prior artthat is already known in this country to a person of ordinary skill inthe art.

SUMMARY OF THE INVENTION

An exemplary embodiment provides an apparatus for generating a secretkey by use of a characteristic of a radio channel.

Another exemplary embodiment provides a method for generating a secretkey by use of a characteristic of a radio channel.

According to an exemplary embodiment, a method for generating a secretkey for a secure communication is provided. The method includes:acquiring a random sequence by use of reciprocity of a radio channel;generating the secret key based on the random sequence; and stoppinggenerating the secret key when it is determined that the radio channelis flat based on flatness measured from the radio channel.

The acquiring of a random sequence may include quantizing a strengthindicator of a received signal.

The received signal may be a received probe request, or a received proberesponse to a transmitted probe request.

The received signal may be a received request to send (RTS) message or areceived clear to send (CTS) message in response to a transmitted RTSmessage.

The acquiring of a random sequence may include quantizing an impulseresponse to the radio channel.

The quantizing may include quantizing an impulse response of a dominantpath from among impulse responses to a multipath when the radio channelis configured with the multipath.

The acquiring of a random sequence may include quantizing a frequencyresponse to the radio channel.

The stopping of generating a secret key may include measuring at leastone of a peak-to-average power ratio (PAPR), an inverse peak-to-averagepower ratio (IPAPR), a spectral flatness measure (SFM), or a coherencebandwidth from a frequency response of the radio channel as theflatness.

The generating of a secret key may include: removing a differencebetween the random sequence and a random sequence acquired by anopposing terminal of the secure communication; and removing informationon randomness that may be leaked when the difference between the tworandom sequences is removed, from the random sequence.

The removing of information on randomness that may be leaked when thedifference between the two random sequences is removed, from the randomsequence, may include removing information on randomness that may beleaked when the difference between the two random sequences is removed,from the random sequence, by using a universal hash function.

According to another exemplary embodiment, an apparatus for generating asecret key including: at least one processor; a memory; and a radiofrequency unit, wherein the at least one processor performs at least oneprogram stored in the memory to perform acquiring a random sequence byuse of reciprocity of a radio channel, generating a secret key forsecure communication based on the random sequence, and stopping thegenerating of a secret key when it is determined that the radio channelis flat based on flatness measured from the radio channel, is provided.

When performing the acquiring of a random sequence, the at least oneprocessor may quantize a strength indicator of a received signal.

The received signal may be a received probe request, or a received proberesponse to a transmitted probe request.

The received signal may be a received request to send (RTS) message or areceived clear to send (CTS) message in response to a transmitted RTSmessage.

When performing the acquiring of a random sequence, the at least oneprocessor may perform quantizing an impulse response to the radiochannel.

When performing the quantizing, the at least one processor may performquantizing an impulse response of a dominant path from among impulseresponses to a multipath when the radio channel is configured with themultipath.

When performing the acquiring of a random sequence, the at least oneprocessor may perform quantizing a frequency response to the radiochannel.

When performing the generating of a secret key, the at least oneprocessor performs measuring at least one of a peak-to-average powerratio (PAPR), an inverse peak-to-average power ratio (IPAPR), a spectralflatness measure (SFM), or a coherence bandwidth from a frequencyresponse of the radio channel as the flatness.

When performing the generating of a secret key, the at least oneprocessor may perform: removing a difference between the random sequenceand a random sequence acquired by an opposing terminal of the securecommunication; and removing information on randomness that may be leakedwhen the difference between the two random sequences is removed, fromthe random sequence.

When performing the removing of information on randomness that may beleaked when the difference between the two random sequences is removed,from the random sequence, the at least one processor may performremoving information on randomness that may be leaked when thedifference between the two random sequences is removed, from the randomsequence, by using a universal hash function.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a flowchart for a method for sharing a secret key accordingto an exemplary embodiment.

FIG. 2 shows a graph for indicating a received signal strength indicatorof a radio channel according to an exemplary embodiment.

FIG. 3 shows a graph for indicating an impulse response of a radiochannel according to an exemplary embodiment.

FIG. 4 shows a graph for indicating a frequency response of a radiochannel according to an exemplary embodiment.

FIG. 5 shows a graph for indicating an upper limit of an amount ofinformation known on a final secret key by a third party according to anexemplary embodiment.

FIG. 6 shows a block diagram of a wireless communication systemaccording to an exemplary embodiment.

DETAILED DESCRIPTION OF THE EMBODIMENTS

In the following detailed description, only certain exemplaryembodiments of the present invention have been shown and described,simply by way of illustration. As those skilled in the art wouldrealize, the described embodiments may be modified in various differentways, all without departing from the spirit or scope of the presentinvention. Accordingly, the drawings and description are to be regardedas illustrative in nature and not restrictive, and like referencenumerals designate like elements throughout the specification.

Throughout the specification, a terminal may indicate a mobile station(MS), a mobile terminal (MT), an advanced mobile station (AMS), a highreliability mobile station (HR-MS), a subscriber station (SS), aportable subscriber station (PSS), an access terminal (AT), userequipment (UE), or a machine-type communication (MTC) device, and it mayinclude entire or partial functions of the MT, MS, AMS, HR-MS, SS, PSS,AT, UE, and MTC device.

FIG. 1 shows a flowchart for a method for sharing a secret key accordingto an exemplary embodiment.

According to an exemplary embodiment, a user of a terminal may turn onor turn off a secure communication function for the terminal. When thesecure communication function is in the on state, the user may determinestart or end of a secure communication. After the secure communicationfunction is turned on, the terminal may prepare the secure communicationbefore the start of the secure communication. As the preparation of thesecure communication, the terminal may save randomness acquired based oninsecure communication.

The secret key may be acquired by using the randomness of a radiochannel. That is, two terminals performing secure communication usechannel reciprocity of the radio channel, and remotely share a secretkey without an aid of the key management infrastructure according to asequential key distillation method to thus transmit and receive thesecret message. In the following, referred to FIG. 1, the method forgenerating a secret key performed when the secure communication functionof the terminal is in the on state is described in detail.

Referring to FIG. 1, a first terminal 100 and a second terminal 200 inwhich the secure communication function is in the on state respectivelyacquire a random sequence by estimating the radio channel (S110). Inthis instance, the random sequence acquired by the first terminal andthe second terminal include analogous randomness so the step S110 maybecome a step of sharing randomness.

To acquire sufficient randomness needed for acquiring the secure key,the respective terminals estimate a radio channel by transmitting andreceiving a message (S111), and use the estimating result of the radiochannel to acquire common randomness. Here, the acquired commonrandomness may be continuously updated. When the secure communication isstarted, the respective terminals may use the recently acquiredrandomness.

For example, a request to send (RTS) message and a clear to send (CTS)message that are transmitted between the terminals prior to datatransmission by the terminals may be used to estimate the radio channel.When the RTS message and the CTS message are used for the estimating theradio channel, each terminal may update the estimating result throughthe RTS message and the CTS message and may acquire the random sequencefrom the recently updated estimating result when the securecommunication is started. In another way, the respective terminals mayestimate the radio channel by using a probe request and a proberesponse.

The terminals acquire the random sequence by quantizing an estimationresult of the radio channel (S112).

According to an exemplary embodiment, as the estimation result of theradio channel, the received signal strength indicator (RSSI) of theradio channel, an impulse response, or a frequency response may be usedfor the quantization.

FIG. 2 shows a graph for indicating a received signal strength indicatorof a radio channel according to an exemplary embodiment.

Because of reciprocity of the channel, the radio channel when the firstterminal transmits a signal to the second terminal is very similar tothe radio channel when the second terminal transmits a signal to thefirst terminal. That is, referring to FIG. 2, the RSSI when the firstterminal receives the signal from the second terminal is very similar tothe RSSI when the second terminal receives the signal from the firstterminal. However, the RSSIs of the first terminal, the second terminal,and a third party have different patterns. Therefore, when the pointthat a characteristic of the radio channel is random and is uniquelydetermined by positions of a transmitter and a receiver, two usersattempting to perform secure communication may generate and share therandom sequence by quantizing an observation result of the radiochannel.

FIG. 3 shows a graph for indicating an impulse response of a radiochannel according to an exemplary embodiment.

In order for the first terminal and the second terminal to sharerandomness, the impulse response of the radio channel may be used. Thisis because the impulse response of the radio channel going to the secondterminal from the first terminal and the impulse response of the radiochannel going to the first terminal from the second terminal have verysimilar patterns due to reciprocity of the channel.

In this instance, in order for the two users attempting to performsecure communication to share randomness from the impulse response ofthe radio channel, the random sequence acquired from the impulseresponse of a path that has relatively high receiving power (i.e., adominant path) from among multiple paths configuring the impulseresponse of the radio channel on a time axis may be used as a commonrandom characteristic.

FIG. 4 shows a graph for indicating a frequency response of a radiochannel according to an exemplary embodiment.

In another way, the common random characteristic may be acquired throughthe frequency response of the radio channel that is equivalent to theimpulse response of the radio channel.

When the secure communication is started (S120), the respectiveterminals determine whether the random sequence for generating thesecret key is sufficiently provided (S130). The respective terminalsperform the step of sharing randomness again when the acquiredrandomness from the estimating result is less than the randomness forextracting the secret key. For example, the respective terminals mayadditionally transmit/receive the RTS message and the CTS message, orthe probe request and the probe response, so that the randomness isprovided additionally. In this instance, the respective terminals maystop acquiring the randomness when determining that they have obtainedsufficient randomness for secure communication.

The respective terminals may determine whether the sufficient randomnessis provided based on Equation 1.

$\begin{matrix}{N_{seq} \leq {\sum\limits_{i = 1}^{i}\; n_{i}}} & \left( {{Equation}\mspace{14mu} 1} \right)\end{matrix}$

In the equation 1, n_(i) is the length of the random sequence acquiredfrom the i-the channel estimation, and N_(seq) is the length of thepredetermined random sequence for acquiring the randomness sufficiently.Referring to the equation 1, when the sum of the length of the entiresequence acquired from the channel estimation is longer than thepredetermined sequence N_(seq), the respective terminal may determinethat the sufficient random sequence is provided.

Referring to FIG. 1 again, the terminals perform post-processing basedon the random sequence acquired by quantization (S140) to generate asecret key (S150). Information reconciliation (S141) is to remove adifference existing between the random sequences acquired by theterminals. For example, an error correcting code may be used for theinformation reconciliation. The first terminal and the second terminalremove information on common randomness that may be leaked (i.e.,information that may be acquired by the third party attempting tomonitor or wiretap communication) (N_(leak)) from the shared randomness(N_(seq)) to thus perform privacy amplification (S142). Part ofinformation of the common sequence transmitted/received by the terminalsduring the information reconciliation process may be wiretapped by thethird party, and a secret key unknown to the third party may beextracted from the common sequence by removing the leaked informationfrom the common sequence through the privacy amplification stage. Forexample, a universal hash function may be used for the privacyamplification.

Afterwards, the terminals perform the secure communication by using thegenerated secret key (S160). The secure communication may be terminatedby the user selection, etc.

When the characteristic of the radio channel estimated for an extractionof randomness is not frequency selective, that is, when the sufficientmultipath is not provided for the radio channel environment, acorrelation between randomness X shared by the first user and the seconduser and randomness Y acquired by the third party through wiretappingmay become bigger. When a correlation coefficient between a resultobserved by the first terminal or the second terminal and a resultobserved by the third party is set to be ρ, an amount of informationI(X, Y) on the random sequence shared by the first user and the seconduser that the third party may know based on the quantization result(e.g., the random sequence acquired through wiretapping) is expressed inEquation 2.

$\begin{matrix}{{I\left( {X,Y} \right)} = {{- \frac{1}{2}}{\log \left( {1 - \rho^{2}} \right)}}} & \left( {{Equation}\mspace{14mu} 2} \right)\end{matrix}$

The first user and the second user post-process (i.e., f(•)) the sharedrandom sequence to finally acquire the secret key. The amount ofinformation on the final secret key the third party may know based onthe randomness acquired by wiretapping has an upper limit according to adata processing inequality, as expressed in Equation 3.

$\begin{matrix}{{{I\left( {{f(X)},Y} \right)} \leq {I\left( {X,Y} \right)}} = {{- \frac{1}{2}}{\log \left( {1 - \rho^{2}} \right)}}} & \left( {{Equation}\mspace{14mu} 3} \right)\end{matrix}$

FIG. 5 shows a graph for indicating an upper limit of an amount ofinformation on a final secret key known by a third party according to anexemplary embodiment.

Referring to FIG. 5, when a correlation between a main channel (thechannel between the first user and the second user) and a wiretappingchannel (the channel between the first user or the second user and thethird party) increases, the third party may have a large amount ofinformation on the random sequence shared by the first user and thesecond user. In general, the correlation between the main channel andthe wiretapping channel is not known to the first user and the seconduser, so in this case, it is difficult to remove the information, whichis leaked to the third party in the step of the randomness extraction,through privacy amplification. Therefore, in this case, the third partymay know part of the secret key finally acquired by the first user andthe second user, and the secret key may not satisfy the security.

In an exemplary embodiment, the case in which security of the sharedsecret key is determined to be insufficient is selectively detected soexistence of a latent danger may be reported to the user. For example,when an insufficient multipath is provided to the radio channel, theterminal may stop the process for generating a secret key for securecommunication and may notify the user thereof. In another way, when aninsufficient multipath is provided to the radio channel, the terminalmay ask the user whether to stop the generation of a secret key forsecure communication, and it may be determined whether to continue thesecure communication depending on a selection by the user.

The correlation between the main channel and the wiretapping channel maybe proportional to flatness of the radio channel and may be inverselyproportional to a number of multipath components configuring the radiochannel. Therefore, regarding the terminal according to an exemplaryembodiment, flatness may be measured from the estimation result of theradio channel, and the generation of a secret key may be stopped whenthe terminals determine that the radio channel is flat. For example,when the flatness of the radio channel exceeds a predetermined thresholdvalue, the generation of the secret key may be stopped. Table 1 expressmeasures for measuring flatness of the radio channel frequency response.

TABLE 1 Measures Descriptions Inverse Peak-to- Average Power Ratio(IPAPR) $\frac{x_{rms}^{2}}{{x}_{peak}^{2}}$$\left( {{{x}_{peak}^{2} = {\max \left\{ {x_{1},x_{2},{.\;.\;.}\;,x_{N}} \right\}}},{x_{rms}^{2} = \sqrt{\frac{1}{N}\left( {x_{1} + x_{2} + \cdots + x_{N}} \right)}},} \right.$(The frequency response at the x_(i) = i-th subcarrier) SpectralFlatness Measure (SFM)${Flatness} = {\frac{{mean}_{geometric}}{{mean}_{arithmetic}} = {\frac{\sqrt[N]{\prod\limits_{i = 1}^{N}\; x_{i}}}{\frac{\sum\limits_{i = 1}^{N}\; x_{i}}{N}} = \frac{\exp \left( {\sum\limits_{i = 1}^{N}\; \left( {lnx}_{i} \right)} \right)}{\frac{1}{N}{\sum\limits_{i = 1}^{N}\; x_{i}}}}}$(The frequency response at the x_(i) = i-th subcarrier) Coherencebandwidth ${BW}_{coherence} = \frac{1}{\tau_{RMS}}$$\left( {{\tau_{RMS} = \sqrt{\frac{\int_{0}^{\infty}{\left( {\tau - \overset{\_}{\tau}} \right)^{2}{A_{c}(\tau)}\ {d\tau}}}{\int_{0}^{\infty}{{A_{c}(\tau)}\ {d\tau}}}}},{\overset{\_}{\tau} = \frac{\int_{0}^{\infty}{{{\tau A}_{c}(\tau)}\ {d\tau}}}{\int_{0}^{\infty}{{A_{c}(\tau)}\ {d\tau}}}},} \right.$τ = multipath delay, and A_(c) (τ) = gain of delay path)

That is, the terminal according to an exemplary embodiment may measureat least one of PAPR, the IPAPR, the SFM, or the coherence bandwidth asthe flatness of the radio channel. When the terminals determine that theradio channel is flat based on the flatness (that is, the radio channelis flat because the sufficient multipath is not provided), it may bedetermined that the security of the secret key to be generated is low.For example, when the IPAPR is measured as the flatness (that is, theIPAPR is a measurement result for the radio channel), it is determinedthat the security of the secret key to be generated is low when theIPAPR exceeds the predetermined threshold value. Afterwards, therespective terminals may stop generating a secret key and notify theuser that the secure communication may not be performed.

As described above, each terminal may perform the secure communicationwithout an aid of the infrastructure that managing the secret key bygenerating the secret key by use of the reciprocal characteristic of theradio channel. Further, by using the flatness on the estimated radiochannel, the case in which the channel correlation with a third partyattempting to wiretap the secure communication increases and thesecurity of the secret key may be lowered may be detected in advance.

FIG. 6 shows a block diagram of a wireless communication systemaccording to an exemplary embodiment.

Referring to FIG. 6, the wireless communication system according to anexemplary embodiment includes a base station 610 and a terminal 620.

The base station 610 includes a processor 611, a memory 612, and a radiofrequency (RF) unit 613. The memory 612 may be connected to theprocessor 611, and may store various kinds of information for drivingthe processor 611 or at least one program performed by the processor611. The radio frequency unit 613 may be connected to the processor 611and may transmit/receive a radio signal. The processor 611 may realize afunction, a process, or a method proposed by an exemplary embodiment ofthe present invention. In this instance, in the wireless communicationsystem according to an exemplary embodiment, a wireless interfaceprotocol layer may be realized by the processor 611. An operation of thebase station 610 according to an exemplary embodiment may be realized bythe processor 611.

The terminal 620 includes a processor 621, a memory 622, and a radiofrequency unit 623. The memory 622 may be connected to the processor621, and may store various kinds of information for driving theprocessor 621 or at least one program performed by the processor 621.The radio frequency unit 623 may be connected to the processor 621 andmay transmit/receive a radio signal. The processor 621 may realize afunction, a process, or a method proposed by an exemplary embodiment ofthe present invention. In this instance, in the wireless communicationsystem according to an exemplary embodiment, a wireless interfaceprotocol layer may be realized by the processor 621. An operation of theterminal 620 according to an exemplary embodiment may be realized by theprocessor 621.

In an exemplary embodiment of the present invention, the memory may beprovided inside or outside the processor, and the memory may beconnected to the processor by using various means known to a personskilled in the art. The memory is a volatile or non-volatile storagemedium in various formats, and for example, the memory may include aread-only memory (ROM) or a random access memory (RAM).

While this invention has been described in connection with what ispresently considered to be practical exemplary embodiments, it is to beunderstood that the invention is not limited to the disclosedembodiments, but, on the contrary, is intended to cover variousmodifications and equivalent arrangements included within the spirit andscope of the appended claims.

What is claimed is:
 1. A method for generating a secret key as a methodfor generating a secret key for secure communication, comprising:acquiring a random sequence by use of reciprocity of a radio channel;generating the secret key based on the random sequence; and stoppinggenerating the secret key when it is determined that the radio channelis flat based on flatness measured from the radio channel.
 2. The methodof claim 1, wherein the acquiring of a random sequence includesquantizing a strength indicator of a received signal.
 3. The method ofclaim 2, wherein the received signal is a received probe request, or areceived probe response to a transmitted probe request.
 4. The method ofclaim 2, wherein the received signal is a received request to send (RTS)message or a received clear to send (CTS) message in response to atransmitted RTS message.
 5. The method of claim 1, wherein the acquiringof a random sequence includes quantizing an impulse response to theradio channel.
 6. The method of claim 5, wherein the quantizing includesquantizing an impulse response of a dominant path from among impulseresponses to a multipath when the radio channel is configured with themultipath.
 7. The method of claim 1, wherein the acquiring of a randomsequence includes quantizing a frequency response to the radio channel.8. The method of claim 1, wherein the stopping of generating a secretkey includes measuring at least one of a peak-to-average power ratio(PAPR), an inverse peak-to-average power ratio (IPAPR), a spectralflatness measure (SFM), or a coherence bandwidth from a frequencyresponse of the radio channel as the flatness.
 9. The method of claim 1,wherein the generating of a secret key includes: removing a differencebetween the random sequence and a random sequence acquired by anopposing terminal of the secure communication; and removing informationon randomness that may be leaked when the difference between the tworandom sequences is removed, from the random sequence.
 10. The method ofclaim 9, wherein the removing of information on randomness that may beleaked when the difference between the two random sequences is removed,from the random sequence, includes removing information on randomnessthat may be leaked when the difference between the two random sequencesis removed, from the random sequence, by using a universal hashfunction.
 11. An apparatus for generating a secret key, comprising: atleast one processor; a memory; and a radio frequency unit, wherein theat least one processor performs at least one program stored in thememory to perform acquiring a random sequence by use of reciprocity of aradio channel, generating a secret key for secure communication based onthe random sequence, and stopping the generating of a secret key when itis determined that the radio channel is flat based on flatness measuredfrom the radio channel.
 12. The apparatus of claim 11, wherein whenperforming the acquiring of a random sequence, the at least oneprocessor quantizes a strength indicator of a received signal.
 13. Theapparatus of claim 12, wherein the received signal is a received proberequest, or a received probe response to a transmitted probe request.14. The apparatus of claim 12, wherein the received signal is a receivedrequest to send (RTS) message or a received clear to send (CTS) messagein response to a transmitted RTS message.
 15. The apparatus of claim 11,wherein when performing the acquiring of a random sequence, the at leastone processor performs quantizing an impulse response to the radiochannel.
 16. The apparatus of claim 15, wherein when performing thequantizing, the at least one processor performs quantizing an impulseresponse of a dominant path from among impulse responses to a multipathwhen the radio channel is configured with the multipath.
 17. Theapparatus of claim 11, wherein when performing the acquiring of a randomsequence, the at least one processor performs quantizing a frequencyresponse to the radio channel.
 18. The apparatus of claim 17, whereinwhen performing the stopping of generating a secret key, the at leastone processor performs measuring at least one of a peak-to-average powerratio (PAPR), an inverse peak-to-average power ratio (IPAPR), a spectralflatness measure (SFM), or a coherence bandwidth from a frequencyresponse of the radio channel as the flatness.
 19. The apparatus ofclaim 11, wherein when performing the generating of a secret key, the atleast one processor performs: removing a difference between the randomsequence and a random sequence acquired by an opposing terminal of thesecure communication; and removing information on randomness that may beleaked when the difference between the two random sequences is removed,from the random sequence.
 20. The apparatus of claim 19, wherein whenperforming the removing of information on randomness that may be leakedwhen the difference between the two random sequences is removed, fromthe random sequence, the at least one processor performs removinginformation on randomness that may be leaked when the difference betweenthe two random sequences is removed, from the random sequence, by usinga universal hash function.